Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

schwit1 writes "Fox News has an AP story on a hacker in San Francisco driving around and needing as little as 20 minutes to be successful in acquiring a passport number: 'Zipping past Fisherman's Wharf, his scanner detected, then downloaded to his laptop, the unique serial numbers of two pedestrians' electronic US passport cards embedded with radio frequency identification, or RFID, tags. Within an hour, he'd "skimmed" the identifiers of four more of the new, microchipped PASS cards from a distance of 20 feet. ... Meanwhile, Homeland Security has been promoting broad use of RFID even though its own advisory committee on data integrity and privacy warned that radio-tagged IDs have the potential to allow "widespread surveillance of individuals" without their knowledge or consent.'"

Are you required to carry your passport with you even when you aren't crossing the border (including international travel at airports)? If not, wouldn't the tracking only show that you're always in your bedroom? And if so, I think that may be a somewhat bigger problem.

Not in the US. I'm not sure how that is handled in other countries though. I know a lot of international students in the US voluntarily surrender their passport to the dean's office, which will hold them in a secure place, since students tend to lose important documents like that easily. I've taken more than a few couch surfers out drinking only to realize their government issued ID is in Lousiana, California, or D.C. due to this.

In many countries, yes, you are required to carry your passport. The US may be one of those countries. (N.B.: Just because you can substitute some other form of ID, e.g. driver's license, doesn't mean that a non-resident can do the same.)

Who the Hell carries their passport around all day in their home country? Most of the time I imagine it would be sitting in a safe place at home.

Here in the Netherlands we have to be able to prove our identity any time the police asks for it. The only way accepted by them is to show your passport, so we officialy HAVE TO carry our passports with us any time we are outside.Thank you America and your 'War on Terror' to give our political creeps an excuse to put that one through our throats!

Here in the Netherlands we have to be able to prove our identity any time the police asks for it. The only way accepted by them is to show your passport, so we officialy HAVE TO carry our passports with us any time we are outside.Thank you America and your 'War on Terror' to give our political creeps an excuse to put that one through our throats!

You really found a way to blame your country's [perceived] fascism on another country thousands of miles away? Congrats.

Sadly, Poingggg is voicing an ever more common popular Dutch adage: "most of the world's current problems are America's" fault. And an American making a quip about it will probably garner little more than a "Typical" from the likes of Poingggg.

Being Dutch myself, I would like to add that Poingggg is wrong, or at least woefully incomplete. We -are- required by law to be able to show our ID, however we are not by law required to carry it. This may seem silly, since you need to carry it to be able to show it, but what it means is that police are not allowed to ask for ID unless you are under suspicion of some other offense (that is, other than not carrying your ID).

Also, the ID produced does not have to be a passport. Dutch driver's license or Dutch identity cards are also accepted valid IDs. Additionally, the law only applies to people over the age of 14.

So, the only people at serious risk from getting their ID's copied as described (when not using a tinfoil wallet) are people in the age range 15-18 (impossible to get a valid driver's license), foreigners (only a passport, or some specific documents pertaining to asylum and long-term stay will do) and people unable or unwilling to get a driver's license.

And sofar, the only people fined for not being able to produce the ID have been - to my knowledge - people who refused to produce it (even when allowed to retrieve it from elsewhere) or people who committed some other punishable offense in addition to not carrying the ID.

You act as if they were interested in your security at all.Which just shows how effective their strong twisted reality is. It even affects you to the point where you believe they would be acting ouf of the interest of the people.:)

Don't worry, we all fell for it. As long as we learn from it, that is ok.:)

You forget that they themselves will be just as trackable. As a politician I would be very worried about that. For some reason though, they seem to not care, which I find weird. So either they really don't care, or they just have not clue. What do you think it is?;)

If you shove your passport in a simple metal lined sleeve, this tech isn't trackable.

It is stupid that it is necessary to do so (the convenience gained is minimal), but if it a symptom of a government conspiracy, it is good to know that they are wildly incompetent. Or at least, they want us to think they are wildly incompetent. Oh no!

It's not that they're wildly incompetent. They invest in a thicket of things that are an annoyance to avoid. Most people will slip somewhere. It doesn't matter that you won't slip in this place...or think you won't...they aren't that interested in you. And they could track you by other means if they were.

check back with me in a couple years.. I'm betting you won't like him then...

I cringed as I voted for Obama. But as I said during the campaign McCain scared and Hillary terrified me. I was hoping that at least Obama would take the advise of some economists of the Chicago school of economics [wikipedia.org].

I'm Canadian and went to renew my passport on Friday. My existing passport was still valid for a couple more weeks, but the woman across the desk thought it was expired as her machine didn't read it. She told me this, and I explained to her with a straight face that maybe that was because I'd microwaved my passport (I hadn't really).

Or how about just not using RFID at all? I don't see why passports can't use the same style chip as used widely in credit cards and debit cards.

Even the chips in credit cards aren't needed. Some years ago my credit card issuer stopped using them because the usefulness didn't justify the expense. Now if I want, such as to order something online, my issuer will issue a one tyme use credit card number.

No, people shouldn't have to pay $20 for a way to make this technology safer. The government should improve their own shielding, and use more secure protocols [wikipedia.org] for RFID transmission.

People should only be worried about safety from government. And government shouldn't be using RFID nevermind IDs. It used to be that people in the US could cross the US Mexico border and the US Canadian border, which I've done a number of tymes, without needing a passport.

Many smart cards are dual purpose, and have RFID along with it. I'm actually surprised whenever I come accross an RFID card that is not also a smart card. If you read their descriptions a little closer, you'll notice that they are targeting employees working for companies with just such smart cards. That logo is something any smart card user will recognize. It's also a really really good idea to have something other than just wireless to read the card if you are using it for anything more than a door pa

You just need to buy an RFID shield for your passport and you can put your mind at ease. Unless, of course, you want to worry about how they don't work.

Thanks for the interesting links!

As others have noted, your analysis isn't quite correct. For those who don't want to watch the whole video in your second link, here's a summary of what it says. It demonstrates a security vulnerability. The vulnerability does not involve theft of data, because there's encryption built into the passport. What it demonstra

- Speak English - A lot places other than the USA speaks english- Dresses like an American - Agreed- Carry Cameras - Have you ever seen a Japanese Tour Group. They have more cameras than people

I'd add however- Have name tags attched to their clothes with names like 'Chip', 'Bud' & 'Hank'.- Only willing to eat Steak & French Fries unless it is a BigMac. (even in places where there are no Macdonalds...)

Seriously though, Americanes are about the easiest Nationality to pick

You wouldn't steal data. You wouldn't be "singling them out" for direct attack. You would, though, leave things that would instill terror behind that looked for these passports.

The video's bogus (It looks too smoke and mirrors for them to have actually DONE the exploit they're talking to...), but the risk is actually very real- especially considering that it'd only cost $500 above the cost of the explosives to set up a car-bomb or similar that wouldn't go off until it saw an Ame

But the threat in the video is farfetched, because there are much easier ways of finding American tourists.

I don't think the author is making the claim that RFID is the best way to ID Americans. I agree with you that there are much better ways for a human to ID an American. But what about an explosive device, as shown in the video? Modern terrorists use remote explosives to time an attack for most destruction and/or destruction of Americans as opposed to sympathetic locals.

It would be much easier to build a device that will only blow up if X number of Americans are in its kill range. This device could be cons

The only problem I have is that while Flexilis may have a good point, the video you linked to is rubbish as far as proving their point. It could just as easily have been a rigged thing for their "demo". They needed to show things just a bit better than that- it's all smoke and mirrors with it as it is now.

I'm sorry, did you have some kind of point? The story was talking about San Francisco.

Were you kidding?

If US passport data can be easily acquired in San Francisco (where US citizens generally don't carry them), then it follows that said data will be abundant in areas where people are likely to carry passports. Somalia was just an example. Replace it with your favorite vacation getaway spot, if you like.

Well, as Fisherman's Wharf is a tourist attraction, I would think that the majority of the people are tourists.

And about the part that says about what people should do, people should design a secure system where one of the factors is that people WILL carry them around on Fisherman's Wharf. Do not blame the users for usage, blame the designer for not putting it in the design.

The 'stupidity' of the users is well known and well documented. Persons are smart, people are stupid. If you deal with security, that is what you have to think about. If you don't, your design will be flawed.

San Francisco is a little farther from Mexico than a simple day trip drive. Over 8 hours one way, and that is just to get to San Diego. Add another hour in line at the border crossing and you easily have a 9 to 10 hour trip one way, sometime encroaching 12 hours depending on a day.

Funny, I've made it from San Francisco to San Diego within a couple of hours many, many times. Is it magic? Am I lying? Or... maybe... I traveled on a plane. Commuter flights are plentiful and cheap, and regular trains run between the cities as well. Also, SF is a common stop on flights going to and from various Vancouvers, including the one in Big Canadia.

[sarcasm]Yes, heaven forbid the United States catch up with the rest of the developed world and get a system that works better [photius.com] while costing less [photius.com].[/sarcasm] Passport security and health systems have nothing to do with each other, please let you brain do the thinking, not your mouth or your gut.

The U.S. doesn't make any passing attempt at running an efficient health care system. For people that can afford it, spectacular care is available here.

So the well off have plenty to fear from government intervention, they face the potential for higher taxes and the potential for lower availability of care (vast amounts are spent on extreme measures in the U.S.).

Sure, it would probably be healthier for us as a society to provide a more equitable system, but let's not pretend that it is going to be better for everyone.

I live in Finland and we do have a public healthcare system here. That doesn't mean that here wouldn't also be private healthcare available. Those who dislike the public system (which works pretty well but is underfunded so waiting lines can be hours long in any non non-emergency case) can go to the private clinics. In addition to competing with each other, private clinics also need to compete with the public health care. It sets some kind of a status quo of "If you don't manage to offer extremely good service, people will just use public healthcare".

So I don't think that the wealthy do need to worry about potential for lower availability of care. Public healthcare just gives best of both worlds... In theory.

Recently (within the past decade) right wing government has been trying to change the way that public healthcare works here. Instead of having doctors who work for the government they try to have government buy services from private companies. In practice this works horribly.

Government buys from the company that offers services for cheapest but that lowers the quality. And even those companies have higher prices than what government would pay directly to the doctors as the companies try to make profit. So it is slowly changing from "The best of both worlds" to "The worst of both worlds".

One example of this is a hospital near me (Peijas in Itä-Vantaa). It used to be managed by the government but then there was a decision to privatize (if that's a word) the emergency duty. Now, if you go there complaining that your chest hurts, you might still need to wait four hours in the lobby before a doctor sees you but if they deem that you need further care and send you to the main part of the hospital... You get EKGs taken, evaluations from several doctors and so on, all for completely free of charge. (Speaking from experience here.)

So even with the "worst of both worlds" it works somehow (which is good because I really couldn't have been able to afford the treatments in a private clinic). I just fear what happens if the rest of the hospital services will be bought from private companies too.

Public healthcare can be done very well or very poorly depending on how it is implemented.

As for taxation... Yeah, it raises. Can't deny you there. As a rather decently earning programmer I pay nearly half of my wage as taxes (then again, that is more than free healthcare. It includes, among other things, that government funded my university education and insured my student loan). You are wrong to assume it will hurt the wealthy, though. It uses the people who don't use the services.

Whether you are wealthy or not, having higher taxes that provide services that you use are fine. Higher taxes hurt those who rarely have to visit a doctor, they hurt those who don't go to an university and so on. Others would have had to pay that money anyways, it just wouldn't have gone to government but directly to the private companies that provide the services. And the result might not have been any better.

Well, if it's like in Québec, we still have to pay for college. It's very subsidized, so we pay a little less than 2k$ a year. The loans are there so you can concentrate on your studies instead of working full time. Most people will work part time though.

And we can choose our health care. The only difference is that the doctors are paid by the state instead of by me. Only my doctor can make health care decisions, not a faceless bureaucrat or a CS rep from an HMO. And because there's no administrative o

As bad as private bureaucracies are, public bureaucracies are worse, at least in the US. In the US, a government entity gets funding based largely by how much they spent the previous year - and not in a way that incentivises efficiency. When an entity does not spend all of their budgeted money, not only do they not get to use that money in the current year (because they ran out of things to spend it on), that amount usually gets dropped from their budget for the next year! Which means if they don't need

Exactly. It's sad to say, but most people are too stupid to save up for the right things. They'd rather buy that new HD television now than worry about their broken leg five years from now. A public health care system increases preventative care (which is cheaper and more effective) and is a way to force people to save for emergencies, rather than going to the emergency room. So if you're smart enough to know how to manage your health, just be glad not as many of your tax dollars will be going to idiots

truly spectacular care is in Europe these days, sadly the US healthcare system has defeated itself due to the cost of doing business here for most physicians. What America has is the _perception_ of good healthcare, however, just because sombody has a specialist for every ailment doesn't mean they're getting remotely good healthcare. in the US there are typically around 12 Doctors involved in the average Americans healthcare. have you ever been to a doctors office? do you know how busy- especially a decent

If only these same people who secured my passport were in charge of my healthcare as well, then everything would be great!

We live in a country that is protected by a military funded by the government
If my house is on fire, the fire is managed by a fire department funded by the government
Law enforcement is provided by a police or sheriff's department funded by the government
I drive to work on roads whose maintenance are funded by the government
I was educated at public schools funded by the government

(just to name a few government services that are entitled to US citizens)
If you would rather not have any of those se

If only these same people who secured my passport were in charge of my healthcare as well, then everything would be great!

We live in a country that is protected by a military funded by the governmentIf my house is on fire, the fire is managed by a fire department funded by the governmentLaw enforcement is provided by a police or sheriff's department funded by the governmentI drive to work on roads whose maintenance are funded by the governmentI was educated at public schools funded by the government

I wonder how long it will take before credit companies, homeland security and other rfid pushers join forces to create a implantable credit card/passport/whatever-service-you-can-think-of rfid chip. For your own protection and convenience, honest...

I cannot imagine that even a SINGLE conversation with someone mildly conversant in basic security, no, just having common sense, would not have indicated that uncontrolled ID reading from a distance was a VERY VERY bad idea. It suggests to me that such a conversation was either not had, someone has a LOT of shares in RFID manufacturing or there is something else behind this rush to promote even more ID theft.

You can read ID from a distance which means it's now possible to create hidden bombs that lie dormant until there are enough people of a certain nationality nearby, it's possible to clone an identity and I suspect it won't be long before you can edit the biometric, making the theft of your LIFE complete because of "the 'pjuter is always rite" syndrome.

In the process other associated idiots are building up databases which are unnecessary (it works prefectly without) and which are a reversal of approach - normally your identity is only collected AFTER you have committed a crime, not BEFORE. You're now guilty until you prove it wasn't you who left a cloned identity behind. All of that without you noticing someone has been near to your passport, you no longer have control over who sees the data. Hello girls, welcome to stalking v2.

Actually, if you want political emotional scare stories, as the EU has now made one passport per person mandatory, it's also "Hello kids, welcome to 'brief your local paedophile'".

It would be really good if the clowns who dream up such stuff would be the first to suffer the consequences, all of them. Because I don't think they will learn otherwise - this is causing risk, not fixing identity issues./rant

The cards discussed in this article strictly provide a number, so they are just being used as a glorified barcode (maybe they have some security features that a barcode doesn't, but the guy scanning the numbers already knows how to bypass them, so they are irrelevant); a barcode is just as easy to link to a government database and introduces all the same problems with securing the database, so the only additional threat created by the RFID here is the ability to track the person holding the card (leakage of

I wrote about RFID landmines here [slashdot.org] on Slashdot, about five years ago.

It's nice to see that someone else besides me is sufficiently realistic to understand that this can be a real problem. And it's cheap: I don't know what RFID standard passports are using, but various readers on Ebay don't seem to creep much above the $50 mark. Add a microcontroller and some code (which, of course, can be open-sourced amongst other terrorist organizations), along with a little supporting hardware, and you've got yourself a trigger for a device for less than, say, $200 and a few days/weeks of study by an aptly-minded person.

That $200 isn't much money at all, even for a third-world organization, for an attack which is nearly guaranteed to kill one or more civilians of any country which institutes standardized RFID identification. And the best part is, they get to pick and choose which country is the enemy this week when deploying the things.

Well I am completely against the apparent weak encryption and their lack of shielding but I think the big brother concerns are a little overblown. I don't think this is part of some massive systems to track us. Unless the U.S. is setting up this massive trackng network on cruise ships and all over foreign countries... I don't think it will suck in much.. unless of course they enjoy getting receiving data from my passport that always reports that I am 1) at home or 2) on my way to the airport. Seriously.. what U.S. citizen carries their passport everywhere they go domestically?

Well I am completely against the apparent weak encryption and their lack of shielding but I think the big brother concerns are a little overblown.

If you're not actually interested in this issue, why do you even bother to comment?

I can TELL you're not actually interested, because you don't understand that the primary problem has nothing to do with our government, and has to do with the potential use of RFID tags to safely and clandestinely identify and track American targets in other countries, for purposes like the taking of hostages.

The government already has vastly easier ways to track Americans using RFID that don't involve passports, which most o

If these were passports or passport cards ?.. Most people here don't carry their passport around with them all the time.. However those new cheapo passport cards (for Canada, Mexico, the Caribbean, and Bermuda) are much smaller and more portable and I can see people keeping them in their wallet.

I realize that both are vulnerable.. Sadly I have to get a passport renewal in 2010, and not looking forward to having a chipped one. I'll be getting the full one again (can see the point in limiting travel possibil

Meanwhile, Homeland Security has been promoting broad use of RFID because its own advisory committee on data integrity and privacy warned that radio-tagged IDs have the potential to allow "widespread surveillance of individuals" without their knowledge or consent.

So if I can get my RF scanning equipment within 20 feet of you, I can get the passport office's unique identifier for you. (Where can I use that identifier besides the passport office?) As a tracking strategy, one scanning device every 20 feet is going to be an expensive grid.

Good thing the whole country's already wired for cellphone service and service providers share connectivity in support of roaming. Lord knows how many people can track your whereabouts right now.

I need to get a passport soon, but this issue kind of concerns me - people who think those of us who are concerned are being overly paranoid just don't get it - just because there isn't anything disturbing happening with these things right now at this moment (that we know of) doesn't mean that we know things will remain copacetic in the future...Once the apparatus for widespread monitoring/tracking is in place, it's in place - it isn't a good or a bad thing, it's a tool that can be used in either manner.

Just to clarify, these are passport cards which are a hard plastic card that can only be used to travel between Canada the US and Mexico. The "Real" passports also have an rfid in them but they have a faraday cage built into the cover so they can only be picked up when opened.

A lot of times, you have a photo of the "suspect" who's movement you want to track (either from other surveillance, or a mugshot - or even from their passport phot. The reason you're told not to smile is because the P.R. software has a harder time dealing with it - same with glasses wearers.). All that's needed is to feed the photo into the recognition system and give it all your CCTV footage to crunch. This is how surveillance societies like Britain tend to do it now.

You're right though, that you can't just type in "tell me where Joe Soap went on thursday afternoon" into the system and get an list of his/her whereabouts, but for targeted individuals, tracking without their permission has been available for some time.

Those billion cameras are primarily a reactive system, not proactive. While they were initially sold on the public as a crime prevention and safety thing, they don't exist that way any longer. I guess in many ways it is a good thing that there are just too many to be monitored in real time. This makes your simple trip to the store utterly irrelevant and not of interest to anyone - but if your trip happens to coincide with some idiot crashing his car in to the aforementioned store, knocking you down in the process, then someone, be it insurance, police, ambulance, or whatever, might dredge it up for review. All in all you and I are just lost in the noise while the only valuable signal makes the nightly news.

RFID is a pretty good filter if your aim is to create a choke point (i.e. immigration counters) - you can file people past a scanner, snap off their picture without them knowing, have a drone somewhere do a comparison with the databased image, or run it through your super computer in the basement to do it for you.

I severely doubt we (currently) have facial recognition hooked up to the network of CCTV in this country, but what we do have is ANPR - automatic number plate recognition - all over the place.

There are very obvious cameras around that point clearly at the lanes on major roads which are logging all vehicles using major routes. I should think ANPR also gets hooked up to existing CCTV infrastructure too.

And the police seem to routinely have ANPR in their cars these days too. Well, maybe not the "panda cars" th